DETAILED ACTION

1. This Office action is responsive to the following communication: Amendment filed on 23 January 
2008. 

2. Claims 98-104 are pending and present for examination. 

Continued Examination Under 37 CFR 1.114 

3. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 
1.17(e), was filed in this application after final rejection. Since this application is eligible for continued 
examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the 
finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's 
submission filed on 23 January 2008 has been entered. 

Response to Amendment 

4. No claims have been amended. 

5. Claims 89-97 have been cancelled. 

6. Claims 98-104 have been added. 

Information Disclosure Statement 

7. The information disclosure statement (IDS) submitted on 23 January 2008 is in compliance with 
the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by 
the examiner. 

Claim Rejections - 35 USC § 102 

8. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis 
for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless -

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use 
or on sale in this country, more than one year prior to the date of application for patent in the United States. 

9. Claim 98 is rejected under 35 U.S.C. 102(b) as being anticipated by Bapat et al (U.S. Patent No. 
6,038,563, hereinafter referred to as BAPAT), filed on 25 March 1998, and issued on 14 March 2000. 

10. As per independent claim 98, BAPAT teaches: 

A computer readable medium having code to perform a computer implemented method 
for protecting a database hosted on a server, comprising: 

installing a console on a remote computer system for monitoring activity on the 
database {See BAPAT, C8:L17-29, wherein this reads over "each auxiliary server 152, 154 includes 
the same hardware and software elements found in the MIS ... [and] each have just one interface 
160/166 for receiving access requests"}; 

presenting the installed console through a user interface {See BAPAT, C11:L39-51, wherein
this reads over "[t]he Access Control Configuration procedures 210 presents a graphical user
interface 212 to users authorized to modify the access control tree"};

registering a listener agent with the console {See BAPAT, C16:L66-C17:L14, wherein this reads
over "[a] set of filters 291, 294, in the log server 290 determine which event notifications are
stored"};

the listener agent being installed on the server hosting the database {See BAPAT,
C16:L55-66, wherein this reads over "the log server" and "[t]he log server 290 is preferably a
software entity or process that runs on the same computer or computer node as the MIS"};

establishing a secure connection between the console and the listener agent {See
BAPAT, Figure 3};

configuring the listener agent with a first set of rules having a set of security
attributes {See BAPAT, C17:L3-14, wherein this reads over "[t]his filter 291 passes "access grant"
and "access denial" event notifications generated by the MIS"};

installing a collector agent to be in communication with the listener agent for
collecting a plurality of database events {See BAPAT, C17:L3-14, wherein this reads over
"[t]his filter 291 passes "access grant" and "access denial" event notifications generated by the
MIS"};

deconstructing the plurality of database events into a plurality of atomic messages
{See BAPAT, C18:L24-27, wherein this reads over "[u]ser queries requesting information from tables
to which the user does not have access rights are rejected by the SQL engine"};

analyzing the plurality of atomic messages for compliance with the first set of rules
{See BAPAT, C17:L15-19, wherein this reads over "a Security Alarm log 293 that is separate from the
security audit trail 192, where security alarms are generated and stored in the log only when there is
a denial of object access"};

executing compliant database events {See BAPAT, C18:L19-27, wherein this reads over "only
queries in full compliance with those access rights are processed"; and C28:L31-37, wherein this
reads over "[a]ccess is allowed only for the objects to which the user has appropriate access
rights"};

sending a signal to a console operator when a database event is not compliant with
the first set of rules {See BAPAT, C12:L19-26, wherein this reads over "[i]f a match is found, the
request is denied, and a response is returned to the initiator if appropriate"};

allowing a console operator create exceptions to when signals are sent by the
listener agent {See BAPAT, C11:L39-51, wherein this reads over "users authorized to modify the
access control tree"};

updating the first set of rules with the exceptions created by the console operator
{See BAPAT, C11:L39-51, wherein this reads over "users authorized to modify the access control
tree"};

storing the signals received by the console operator in a data file residing with the
console {See BAPAT, C12:L56-57, wherein this reads over "[t]he deny/grant decision for each
access request may be stored in a security audit trail"}.

11. As per independent claim 101, BAPAT teaches: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether an executable SQL statement contains a write operation to
a data dictionary {See BAPAT, C6:L4-11, wherein this reads over "[i]f a suspicious directory
name is found 68, the control function is notified"};

preventing the data dictionary from being written to {See BAPAT, C12:L19-26, wherein
this reads over "[i]f a match is found, the request is denied, and a response is returned to the
initiator if appropriate"}.

12. Claim 99 is rejected under 35 U.S.C. 103(a) as being unpatentable over BAPAT as applied to 
claims 89 and 90, and further in view of Shostack et al (U.S. Patent No. 6,298,445, hereinafter referred 
to as SHOSTACK), filed on 30 April 1998, and issued on 2 October 2001. 

13. As per dependent claim 99, BAPAT, in combination with SHOSTACK, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether the plurality of atomic database events include an executable
SQL statement that exploits a buffer overflow vulnerability in the database {See
SHOSTACK, Table 1, wherein this reads over "Check for known bugs in the servers . . that are
vulnerable to buffer overflow attacks" and "X-windows. Check for open permissions that allow
snooping of remote X session, unpatched libraries and executables vulnerable to buffer overflow
attacks"};

preventing the executable SQL statement from executing {See BAPAT, C12:L19-26, wherein
this reads over "[i]f a match is found, the request is denied, and a response is returned to the
initiator if appropriate"}.

While BAPAT fails to expressly disclose a method of "processing the plurality of database events 
by detecting whether an executable SQL statement exploits a buffer overflow vulnerability in the 
database," SHOSTACK discloses a method of checking for buffer overflow vulnerabilities. Therefore, it would
have been obvious to one of ordinary skill in the art at the time the invention was made to modify the 
above invention suggested by BAPAT by combining it with the invention disclosed by ROWLAND. 

One of ordinary skill in the art would have been motivated to do this modification so that 
suspicious or malicious activity may be detected and prevented accordingly. 

14. Claim 100 is rejected under 35 U.S.C. 103(a) as being unpatentable over BAPAT as applied to 
claims 89 and 90, and further in view of Reshef et al (U.S. Patent No. 6,321,337, hereinafter referred to 
as RESHEF), filed on 9 September 1998, and issued on 20 November 2001. 

15. As per dependent claim 100, BAPAT, in combination with RESHEF, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing further
comprises the steps of: 

detecting whether an executable SQL statement includes an operating system call {See
RESHEF, C10:L21-35, wherein this reads over "[a]ny breach of the permitted flow sequences by
disorderly operating system calls or looping will be trapped and logged"};

preventing the executable SQL statement from making the operating system call {See
BAPAT, C12:L19-26, wherein this reads over "[i]f a match is found, the request is denied, and a response
is returned to the initiator if appropriate"}.

While BAPAT fails to expressly disclose a method of "detecting an executable statement includes 
an operating system call," RESHEF discloses a method of checking for operating system calls which result 
in a breach of permitted flow sequences. Therefore, it would have been obvious to one of ordinary skill 
in the art at the time the invention was made to modify the above invention suggested by BAPAT by 
combining it with the invention disclosed by RESHEF.

One of ordinary skill in the art would have been motivated to do this modification so that
suspicious or malicious activity may be detected and prevented accordingly. 

16. Claims 102-104 are rejected under 35 U.S.C. 103(a) as being unpatentable over BAPAT as 
applied to claims 89 and 90, and further in view of Rowland (U.S. Patent No. 6,405,318, hereinafter 
referred to as ROWLAND), filed on 12 March 1999, and issued on 11 June 2002. 

17. As per dependent claim 102, BAPAT, in combination with ROWLAND, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether an executable SQL statement alters a set of auditing
configurations existing on the database {See ROWLAND, C5:L61-67, wherein this reads
over "name a local directory in an odd way to hide their work"};

preventing the set of auditing configurations from being altered {See BAPAT, C12:L19-26,
wherein this reads over "[i]f a match is found, the request is denied, and a response is returned to
the initiator if appropriate"}.

While BAPAT fails to expressly disclose a method "wherein said unauthorized activity is interfering 
with auditing settings," ROWLAND discloses a method wherein suspicious directory activity is detected 
{See ROWLAND, C5:L61-67}. Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the above invention suggested by BAPAT by combining it with 
the invention disclosed by ROWLAND. 

One of ordinary skill in the art would have been motivated to do this modification so that 
suspicious or malicious activity may be detected and prevented accordingly. 

18. As per dependent claim 103, BAPAT, in combination with ROWLAND, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises the steps of: 

determining whether an executable SQL statement includes a write operation to a set
of audit records existing in a log file {See ROWLAND, C6:L4-11, wherein this reads over
"[t]he system checks to determine if the system audit records have been altered or are missing"};

preventing the audit records existing in the log file from being written to {See BAPAT,
C12:L19-26, wherein this reads over "[i]f a match is found, the request is denied, and a response is
returned to the initiator if appropriate"}.



Application/Control Number: 10/798,079 
Art Unit: 2161 



Page 7 



While BAPAT fails to expressly disclose a method "wherein said unauthorized activity is interfering 
with audit records," ROWLAND discloses a method wherein "[t]he system checks to determine if the
system audit records have been altered or are missing" {See ROWLAND, C6:L4-11}. Therefore, it would 
have been obvious to one of ordinary skill in the art at the time the invention was made to modify the 
above invention suggested by BAPAT by combining it with the invention disclosed by ROWLAND. 

One of ordinary skill in the art would have been motivated to do this modification so that
suspicious or malicious activity may be detected and prevented accordingly.

19. As per dependent claim 104, BAPAT, in combination with ROWLAND, discloses: 

The computer readable medium having code to perform the computer implemented 
method for protecting the database of Claim 98, wherein the step of analyzing 
further comprises: 

the steps of: determining whether an executable SQL statement includes an attempt 
by a user to obtain administrator access by changing a configuration file in the 
database {See ROWLAND, C5:L53-56, wherein this reads over "[t]he system examines the rhost 
file and other system authentication files to determine if dangerous security modifications to the host 
file have occurred"}; 

preventing the configuration file in the database from being changed {See BAPAT,
C12:L19-26, wherein this reads over "[i]f a match is found, the request is denied, and a response is
returned to the initiator if appropriate"}.

While BAPAT fails to expressly disclose a method "wherein said unauthorized activity is modifying 
security settings," ROWLAND discloses a method wherein "[t]he system examines the rhost file and other 
system authentication files to determine if dangerous security modifications to the host file have 
occurred" {See ROWLAND, C5:L53-56}. Therefore, it would have been obvious to one of ordinary skill in 
the art at the time the invention was made to modify the above invention suggested by BAPAT by 
combining it with the invention disclosed by ROWLAND. 

One of ordinary skill in the art would have been motivated to do this modification so that 
suspicious or malicious activity may be detected and prevented accordingly. 



Response to Arguments

20. Applicant's arguments filed 23 January 2008 have been fully considered but they are not
persuasive.

a. Non-Analogous Art Argument 

Reshef reference is nonanalogous art because Reshef does not address the problem
solved by the Applicant." See Amendment, page 19. The Examiner respectfully disagrees. In 
response to applicant's argument that Reshef is nonanalogous art, it has been held that a prior 
art reference must either be in the field of applicant's endeavor or, if not, then be reasonably 
pertinent to the particular problem with which the applicant was concerned, in order to be relied 
upon as a basis for rejection of the claimed invention. See In re Oetiker, 977 F.2d 1443, 24 
USPQ2d 1443 (Fed. Cir. 1992). In this case, Reshef is directed to "methods and systems for 
preventing unauthorized access to computers and networks and for assuring the security of 
applications executing on computers and networks." Wherein the present invention is directed to 
protecting database applications from unauthorized activity, the network security aspects 
disclosed by the Reshef reference would indeed be reasonably pertinent to the claimed features 
of the present invention. 



Conclusion 

21. Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to PAUL KIM whose telephone number is (571)272-2737. The examiner can normally be 
reached on M-F, 9am - 5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Apu 
Mofiz can be reached on (571) 272-4080. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 



Information regarding the status of an application may be obtained from the Patent Application

/Apu M Mofiz/ Paul Kim

Supervisory Patent Examiner, Art Unit 2161 Examiner, Art Unit 2161 